Report: Bug Finders Spot Only 2% of Vulnerabilities

July 11, 2016

By Developer.com Staff

Many developers rely on bug finders to help them root out security vulnerabilities, but a new paper says those tools miss 98 percent of bugs. Researchers from New York University's Tandon School of Engineering, the MIT Lincoln Laboratory and Northeastern University developed a new technique called Large-Scale Automated Vulnerability Addition (LAVA), which adds known vulnerabilities to source code in order to benchmark the abilities of bug finders. When the researchers tested today's popular bug finders with the LAVA approach, the tools identified only 2 percent of the bugs LAVA added to the source code.

"There has never been a performance benchmark at this scale in this area, and now we have one," said Brendan Dolan-Gavitt, an assistant professor of computer science and engineering at NYU Tandon. "Developers can compete for bragging rights on who has the highest success rate in bug-finding, and the programs that will come out of the process could be stronger."